
Criminals are increasingly targeting trucking and logistics companies to deploy remote monitoring and management (RMM) software on their systems and ultimately steal cargo for financial gain.
According to Proofpoint, this threat cluster is believed to have been active since at least June 2025 and is said to be working with organized crime groups to infiltrate organizations in the ground transportation industry with the ultimate goal of stealing goods. Food and beverages are the goods most commonly targeted in these cyber-enabled thefts.
“Stolen cargo will most likely be sold online or shipped overseas,” researchers Ole Villadsen and Selena Larson said in a report shared with Hacker News. “In the campaigns observed, attackers aim to infiltrate businesses, use unauthorized access to bid on actual shipments of goods, and ultimately steal the goods.”

This campaign shares similarities with a previous series of attacks revealed in September 2024, which targeted transportation and logistics companies in North America using information stealers such as Lumma Stealer and StealC, as well as remote access Trojans (RATs) such as NetSupport RAT. However, there is no evidence that the two campaigns are the work of the same attacker.
In the current wave of intrusions detected by Proofpoint, as-yet unattributed attackers are leveraging multiple methods: compromising email accounts to hijack existing conversations, targeting asset-based carriers, freight brokers, and integrated supply chain providers with spear-phishing emails, and posting fraudulent cargo listings to load boards using hacked accounts.
“The attackers use compromised accounts to post fraudulent shipment listings on freight boards and then send emails containing malicious URLs to carriers inquiring about their shipments,” the report states. “This tactic takes advantage of the credibility and urgency inherent in freight negotiations.”

In each case, the malicious URL embedded in the message leads to a booby-trapped MSI installer or executable that deploys legitimate RMM tools such as ScreenConnect, SimpleHelp, PDQ Connect, Fleetdeck, N-able, and LogMeIn Resolve. In some instances, several of these programs are used together, with PDQ Connect used to drop and install ScreenConnect and SimpleHelp.
Once they gain remote access, the attackers begin reconnaissance of systems and networks, then drop credential harvesting tools such as WebBrowserPassView to obtain additional credentials and penetrate deeper into the corporate network.
In at least one case, the attackers are believed to have used their access to delete existing bookings, block dispatcher notifications, add their own devices to the dispatcher’s phone extension, book loads in the compromised carrier’s name, and coordinate transportation.

There are several benefits to using RMM software. First, it eliminates the need for threat actors to invent bespoke malware. Second, the prevalence of such tools in enterprise environments allows them to fly under the radar and typically go unflagged as malicious by security solutions.
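The intrusion chain described above (an RMM agent installed from a phishing-delivered MSI, one RMM dropping another, then a credential-harvesting utility) leaves a recognisable footprint in process-creation telemetry even when each binary is legitimately signed. The following added example, which is not Proofpoint's code and not taken from the report, sketches the detection logic a defender could run over such events: it matches the RMM products named in the report against an allowlist of sanctioned tools, flags RMM agents launched from user-writable paths or via a silent `msiexec` install, and flags an RMM process that is itself spawned by a different RMM. The executable-name substrings, the "user-writable" directory list, the approved-tool set and the sample events are all constructed assumptions for illustration; a real deployment would take them from the organisation's software inventory and its EDR or Sysmon data.

```python
"""Flag suspicious RMM deployments in Windows process-creation events.

Added example, not Proofpoint's code. Tool substrings, directory list,
approved set and sample events are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Dict, List, Optional

# RMM products named in the report, keyed by a lowercase substring assumed to
# appear somewhere in the image path of their agent (assumption).
RMM_SIGNATURES = {
    "screenconnect": "ScreenConnect",
    "simplehelp": "SimpleHelp",
    "pdq": "PDQ Connect",
    "fleetdeck": "Fleetdeck",
    "n-able": "N-able",
    "logmein": "LogMeIn Resolve",
}
# Credential-harvesting utility named in the report.
CRED_SIGNATURES = {"webbrowserpassview": "WebBrowserPassView"}
# Directories a sanctioned RMM agent would normally never run from (assumption).
USER_WRITABLE = ("\\downloads\\", "\\temp\\", "\\users\\public\\")
# The one RMM product this (constructed) organisation has sanctioned.
APPROVED_RMM = {"N-able"}


@dataclass
class ProcessEvent:
    image: str          # full path of the new process
    parent_image: str   # full path of the parent process
    command_line: str = ""


@dataclass
class Finding:
    rule: str
    tool: str
    event: ProcessEvent


def identify(text: str, table: Dict[str, str]) -> Optional[str]:
    """Return the product name whose signature substring occurs in text."""
    low = text.lower()
    for sig, tool in table.items():
        if sig in low:
            return tool
    return None


def in_user_writable(path_or_cmdline: str) -> bool:
    return any(d in path_or_cmdline.lower() for d in USER_WRITABLE)


def analyze(events: List[ProcessEvent], approved: set) -> List[Finding]:
    findings: List[Finding] = []
    for ev in events:
        image_name = PureWindowsPath(ev.image).name.lower()
        tool = identify(ev.image, RMM_SIGNATURES)
        if tool:
            if tool not in approved:
                findings.append(Finding("unapproved-rmm", tool, ev))
            if in_user_writable(ev.image):
                findings.append(Finding("rmm-from-user-writable-path", tool, ev))
            parent_tool = identify(ev.parent_image, RMM_SIGNATURES)
            # One RMM installing another (e.g. PDQ Connect dropping ScreenConnect).
            if parent_tool and parent_tool != tool:
                findings.append(Finding("rmm-chained-by-rmm", tool, ev))
        elif image_name == "msiexec.exe":
            # Silent MSI install of an RMM agent from a download/temp location.
            msi_tool = identify(ev.command_line, RMM_SIGNATURES)
            if msi_tool and in_user_writable(ev.command_line):
                findings.append(Finding("rmm-msi-install-from-user-path", msi_tool, ev))
        cred = identify(ev.image, CRED_SIGNATURES)
        if cred:
            findings.append(Finding("credential-harvesting-tool", cred, ev))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.rule for f in findings))


# Constructed sample telemetry: one benign sanctioned agent, then the chain
# described in the report (MSI from Downloads -> PDQ Connect -> SimpleHelp -> cred tool).
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\N-able\agent.exe", r"C:\Windows\System32\services.exe"),
    ProcessEvent(r"C:\Windows\System32\msiexec.exe", r"C:\Windows\explorer.exe",
                 r'msiexec.exe /i "C:\Users\dispatch\Downloads\ScreenConnect.ClientSetup.msi" /qn'),
    ProcessEvent(r"C:\Users\dispatch\AppData\Local\Temp\pdq-connect-agent.exe", r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Users\dispatch\Downloads\SimpleHelp\Remote Access.exe",
                 r"C:\Program Files\PDQ\pdq-connect-agent.exe"),
    ProcessEvent(r"C:\Users\dispatch\Downloads\WebBrowserPassView.exe",
                 r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe"),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS, APPROVED_RMM):
        print(f"{f.rule:32} {f.tool:16} {f.event.image}")
```

The sanctioned N-able agent produces no findings, while every step of the constructed intrusion chain produces at least one. The allowlist rule is the one that matters most here: because the attackers use unmodified, signed RMM installers, the question to ask of telemetry is not "is this binary malicious" but "is this remote-access product one we actually deployed, and did it arrive the way our deployment tooling would have installed it."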
“Because it is very easy for attackers to create and distribute attacker-proprietary remote monitoring tools, and because they are often used as legitimate software, end users may be less suspicious of RMM installations than of other remote access Trojans. Additionally, because the installers are often maliciously distributed with signed legitimate payloads, such tools may evade antivirus and network detection,” Proofpoint noted in March 2025.
